IETF Logo Mail Archive

Re: [spring] Benjamin Kaduk's Discuss on draft-ietf-spring-srv6-network-programming-26: (with DISCUSS and COMMENT)

Benjamin Kaduk <kaduk@mit.edu> Mon, 28 December 2020 23:29 UTC

Return-Path: <kaduk@mit.edu>
X-Original-To: spring@ietfa.amsl.com
Delivered-To: spring@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DCE1E3A0EC4; Mon, 28 Dec 2020 15:29:08 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gY-0ZZ1vYQ1s; Mon, 28 Dec 2020 15:29:06 -0800 (PST)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E285D3A0EBF; Mon, 28 Dec 2020 15:29:05 -0800 (PST)
Received: from kduck.mit.edu ([24.16.140.251]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id 0BSNSt2A015753 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Mon, 28 Dec 2020 18:28:59 -0500
Date: Mon, 28 Dec 2020 15:28:54 -0800
From: Benjamin Kaduk <kaduk@mit.edu>
To: "Pablo Camarillo (pcamaril)" <pcamaril@cisco.com>
Cc: The IESG <iesg@ietf.org>, "draft-ietf-spring-srv6-network-programming@ietf.org" <draft-ietf-spring-srv6-network-programming@ietf.org>, "spring-chairs@ietf.org" <spring-chairs@ietf.org>, "spring@ietf.org" <spring@ietf.org>, Bruno Decraene <bruno.decraene@orange.com>, Joel Halpern <jmh@joelhalpern.com>
Message-ID: <20201228232854.GJ89068@kduck.mit.edu>
References: <160753350153.28997.1345859562639063746@ietfa.amsl.com> <SA2PR11MB5082504972845833E0F12FF6C9CB0@SA2PR11MB5082.namprd11.prod.outlook.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <SA2PR11MB5082504972845833E0F12FF6C9CB0@SA2PR11MB5082.namprd11.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spring/Yh614fdKaO1rENjb--yCg1ICyEk>
Subject: Re: [spring] Benjamin Kaduk's Discuss on draft-ietf-spring-srv6-network-programming-26: (with DISCUSS and COMMENT)
X-BeenThere: spring@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Source Packet Routing in NetworkinG \(SPRING\)" <spring.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spring>, <mailto:spring-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spring/>
List-Post: <mailto:spring@ietf.org>
List-Help: <mailto:spring-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spring>, <mailto:spring-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 28 Dec 2020 23:29:09 -0000

Hi Pablo,

On Thu, Dec 10, 2020 at 06:01:58PM +0000, Pablo Camarillo (pcamaril) wrote:
> Hi Ben,
> 
> Many thanks for your time on this document.
> We’ve published rev27 of the document with the changes.  Details inline with [PC].
> https://tools.ietf.org/html/draft-ietf-spring-srv6-network-programming-27

Thanks for the updates; I've cleared my discuss in the datatracker.

I'll trim the resolved stuff and just reply on a couple remaining points
inline...

> 
> -----Original Message-----
> From: Benjamin Kaduk via Datatracker <noreply@ietf.org> 
> Sent: miércoles, 9 de diciembre de 2020 18:05
> To: The IESG <iesg@ietf.org>
> Cc: draft-ietf-spring-srv6-network-programming@ietf.org; spring-chairs@ietf.org; spring@ietf.org; Bruno Decraene <bruno.decraene@orange.com>; Joel Halpern <jmh@joelhalpern.com>; jmh@joelhalpern.com
> Subject: Benjamin Kaduk's Discuss on draft-ietf-spring-srv6-network-programming-26: (with DISCUSS and COMMENT)
> 
> Section 4.16.1.2
> 
>    As a reminder, [RFC8754] defines in section 5 the SR Deployment Model
>    within the SR Domain [RFC8402].  Within this framework, the
>    Authentication Header (AH) is not used to secure the SRH as described
>    in Section 7.5 of [RFC8754].
> 
> (repeating from the previous thread as a placeholder) I think we need another sentence or clause here to clarify why this statement is relevant, e.g., "Thus, while the AH can detect changes to the IPv6 header chain, it will not be used in combination with the SRH, so use of PSP will not cause delivery failure due to AH validation checks."
> 
> [PC] What about this?
> <OLD>
> Within this framework, the Authentication Header (AH) is not used to secure the SRH as described in Section 7.5 of [RFC8754].
> </OLD>
> <PROPOSAL>
> Within this framework, the Authentication Header (AH) is not used to secure the SRH as described in Section 7.5 of [RFC8754]. Hence, the discussion of applicability of PSP along with AH usage is beyond the scope of this document.
> </PROPOSAL>

That seems okay, thanks.

> Section 9
> 
> There seem to be some security considerations relating to the use of PSP, in that the egress node loses visibility into which policy was used for a given packet, so all packets from all policies that egress via that SID are in the same anonymity (and policy!) set.  In particular, even if an HMAC TLV was present in the SRH, it is not available and cannot be validated.  I recognize that the headend (or whatever entity is assigning SR policy) should know when such validation would be intended to occur and not assign a policy incompatible with it, but there are still new considerations in the sense that the headend needs to be aware of these considerations.
> 
> [PC] As part of the comments from Alvaro we added this text which I believe covers that point:
> “The headend policy definition should be consistent with the specific
>    behavior used and any local configuration”
> 
> (repeating as a placeholder from the previous thread) I think we should also say that in the absence of the HMAC TLV, valid FUNC and ARG values on any given node may be guessable and spoofable, along with the standard disclaimer that risks are minimal since all nodes in the SR domain are assumed to be trusted.  This is distinct from the already-extant ability to spoof a SID in that the underlying structure in the SID may allow the attacker to induce behavior that was never intended to be a SID, for example if the implementation logically separates FUNC and ARG processing and the attacker makes a combination that was never advertised.
> 
> [PC] I believe you are making an implementation assumption on how SIDs are matched at a node. As a reminder RFC8754 states that “When an SRv6-capable node receives an IPv6 packet, it performs a longest-prefix-match lookup on the packet's destination address.”. Thus, the ability to spoof a particular FUNCT is the same as the ability to spoof any other IP address on the node. In the context of SRv6, this is mitigated by using the SR Domain as described in RFC8754 and -in particular Section 7.2-.

I'm definitely making implementation assumptions, yes.  It is possible to
implement it in a way that does not suffer the potential issue, though
there is a perhaps-tempting way to implement it that does suffer from the
issue.

In particular, I'm less concerned about spoofing FUNCT (as you note, it's
similar to spoofing other things, including other SIDs) than about spoofing
ARG.  The ability to encode semantic information (even when the semantics
are only known to the one node) in a part of the IP address in this manner
seems like a fairly novel construction, and I was hoping to emphasize that
care should be taken when implementing the parser.

Thanks,

Ben

v2.30.2 | Report a Bug | By Email | System Status